To Patch or Not To Patch. That is the Question.
When To Patch?
Timing a patch should be a serious concern for your IT administrator, because patching too early and patching too late both carry consequences.
Why patching earlier may be the safer bet.
When Microsoft, Apple, or other software companies release updates and patches for their systems or software platforms, it is because they have identified a problem in their software, often a security vulnerability. Many of these vulnerabilities are exploited by cybercriminals to penetrate business networks. If you patch too late, you put your business at risk of intrusions, ransom demands and attacks that can cripple your operations.
If you patch too early, your users may not like it.
But newly released patches sometimes have problems of their own. They may not be compatible with the full suite of software your business uses. If you patch too early, your business may be slowed down by patch glitches that have not yet been ironed out.
Because patching is a critical component of your business's network maintenance and security risk prevention, you should understand what your IT Support Team is doing to patch your network, so that you can be assured that your organization is (1) protected from attacks and (2) not suffering chronic work stoppages because a patch was applied before it was vetted.
We already understand the importance of patching:
Any security administrator would agree that eliminating vulnerabilities on your network is imperative to keeping your team, clients and business safe from prying eyes. Patching is undoubtedly one of the easiest proactive ways a business can keep hackers out of its network. Because a released patch points directly at the hole it closes, and many businesses still fail to apply patches regularly, the cybercriminal's job is relatively easy.
Cybercriminals simply have to (1) identify a network where a security patch was not applied and (2) use that vulnerability to get in and ransom, steal from or otherwise exploit the business.
Most of these criminals do not have to do much to get in. Skilled attackers examine released patches, identify the specific vulnerability being fixed and work out an easy entry into a network. Many then share or sell exploit kits that let criminals lacking coding skills attack vulnerable networks: download some code and follow a manual. The troubling part is that attacking your business has become as easy as assembling an Ikea bookcase. If a criminal can follow line-by-line instructions, they will likely penetrate your network if you are not patching security vulnerabilities.
The costs of patching vs leaving your network vulnerable
To understand the best time to patch your network, we have weighed the cost of leaving your network unpatched against the cost of patching before rigorous testing has shaken out any problems with the patch.
But for those of us who may need to visualize the problem, take a look at the figure below:
As more and more criminals and hackers learn about a vulnerability, or find a way to exploit it, your risk of being targeted, losing sensitive information and becoming a victim climbs steeply (red line).
On the other hand, if a newly released patch has bugs, software developers usually fix them quickly (yellow line). Over time, the problematic bugs are eliminated.
What you Risk When You Don’t Patch
Security breaches are expensive, and the costs of a cyberattack keep growing and are often hidden. Data is currently one of the most valuable resources on the planet, more valuable than gold. If you lose your data to a ransomware attack or have sensitive data leaked because your IT Support Team was negligent in applying patches, the unforeseen costs of the attack can be unbounded. A widely cited statistic holds that 60% of businesses that get hacked go out of business within 6 months of the attack.
But Patching Is Not Cost-Free.
Your IT Team needs to devote time to identifying patches that your business should consider applying, and to testing for any downstream repercussions a patch might have on your network. There are cases where applied patches have led to loss of stability, unexpected interactions with local configurations, loss of functionality, or even failure to fix the security problem at all. If a patch is misapplied or turns out to be incompatible with your network, your users could experience downtime, and your network might not be as secure as the patch leads you to believe.
Patching requires that your IT Support Team constantly monitor patch releases, know the possible issues with your specific network configuration and, in the event a patch does not work, find an alternative resolution. Patching is not simply an automated process where, after a click of a button, your network is safe and worry-free. It is a time-consuming cycle of applying and evaluating, and it requires seasoned experts familiar with your specific network to test the patch and identify problems. Most of the time (nearly 80% of the time), IT Support teams end up not patching the network simply because it is too time-consuming. [Note: Zog regularly monitors and tests patches as one way of ensuring your business data is secure.]
If your IT Support Team does its due diligence and tests patches before applying them, your chances of a serious problem on your network are greatly reduced. On average, testing a patch before applying it on a live network reduces the number of user issues by 70%.
If you are willing to leave a vulnerability exposed to criminals for a period of time, you might instead wait until a patch has been fully vetted by the software company that issued it. On average, that patch validation (bug-fixing) takes 10 days, but by then attackers will likely already have a way to exploit the vulnerability.
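The two curves in the figure above, together with the 70% and 10-day figures in this section, can be turned into a simple expected-cost model. The Python below is an added example written for this edit, not tooling from the original page or from Zog. Every number in it (breach cost, outage cost, day-0 exploitation probability, exploit growth factor, defect half-life) is an assumed illustrative value; the only figure taken from the page is the 70% reduction in user issues from testing a patch first. For each candidate patch day it computes the probability of being breached while still unpatched (rising, the red line) plus the probability that the patch itself causes an outage (falling, the yellow line), and picks the cheapest day with and without pre-testing.

```python
"""Toy expected-cost model of the patch-timing trade-off.

Two curves compete: the chance that an unpatched vulnerability is exploited grows
each day after the patch is published (attackers work backwards from the fix),
while the chance that the patch itself causes an outage shrinks as the vendor fixes
its early defects.  The model picks the patch day that minimises the sum of both
expected costs.  All parameters below are assumed illustrative values, not data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PatchTimingModel:
    breach_cost: float            # cost if the vulnerability is exploited (assumed)
    outage_cost: float            # cost if the patch causes an outage (assumed)
    exploit_prob_day0: float      # daily exploitation probability on release day (assumed)
    exploit_growth: float         # daily growth factor of that probability (assumed)
    defect_prob_day0: float       # chance a day-0 patch causes an outage (assumed)
    defect_half_life_days: float  # days for the vendor to halve the defect rate (assumed)
    test_catch_rate: float = 0.0  # share of defects your own testing catches (page: 70%)

    def daily_exploit_prob(self, day: int) -> float:
        """Chance of being exploited on a given day: geometric growth, capped at 1."""
        return min(1.0, self.exploit_prob_day0 * self.exploit_growth ** day)

    def breach_prob_before(self, patch_day: int) -> float:
        """Chance of at least one compromise while unpatched (days 0 .. patch_day-1)."""
        survive = 1.0
        for day in range(patch_day):
            survive *= 1.0 - self.daily_exploit_prob(day)
        return 1.0 - survive

    def defect_prob(self, patch_day: int) -> float:
        """Chance a patch applied on patch_day causes an outage, after your own testing."""
        vendor_residual = self.defect_prob_day0 * 0.5 ** (patch_day / self.defect_half_life_days)
        return vendor_residual * (1.0 - self.test_catch_rate)

    def expected_cost(self, patch_day: int) -> float:
        """Expected loss from exposure before patching plus loss from a defective patch."""
        return (self.breach_prob_before(patch_day) * self.breach_cost
                + self.defect_prob(patch_day) * self.outage_cost)

    def best_patch_day(self, horizon_days: int = 30) -> int:
        """Patch day with the lowest expected cost within the horizon."""
        return min(range(horizon_days + 1), key=self.expected_cost)


# Constructed illustrative parameters (assumptions, not measurements).
UNTESTED = PatchTimingModel(
    breach_cost=500_000, outage_cost=100_000,
    exploit_prob_day0=0.002, exploit_growth=1.5,
    defect_prob_day0=0.25, defect_half_life_days=3.0,
    test_catch_rate=0.0,
)
# Same environment, but patches are tested before rollout (the page's 70% figure).
TESTED = replace(UNTESTED, test_catch_rate=0.7)


if __name__ == "__main__":
    for label, model in (("untested rollout", UNTESTED), ("tested rollout", TESTED)):
        print(f"{label}: cheapest patch day = {model.best_patch_day()}")
        for day in range(8):
            print(f"  day {day}: P(breach) {model.breach_prob_before(day):.4f}  "
                  f"P(outage) {model.defect_prob(day):.4f}  "
                  f"expected cost {model.expected_cost(day):,.0f}")
```

With these assumed parameters, a team that does not test is best off waiting until day 3 so the vendor can shake out defects, while a team that tests patches first is best off applying on day 1. The numbers are illustrative, but the shape of the result is the point of the page: testing is what lets you patch sooner without trading exposure for outages.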
Still on the Fence About Patching Your Network?
If patches are not maintained, you face a bigger risk of cyberattack. Most people think "that will never happen to me or my business", but the reality is that criminals actively scan for vulnerabilities. On the Dark Web, criminals can download small tools that identify businesses with easy-to-exploit vulnerabilities, most of which exist because patching and maintenance are not being done regularly.
The likelihood of being attacked climbs steeply once an exploit is discovered and patches are released. In fact, every day you wait without patching, your business is more than 10 times more likely to have sensitive data (Social Security numbers, bank accounts, client contact information) breached, ransomed or stolen.
A diligent IT Support Team should be constantly evaluating when to apply patching:
Should I rush to apply patches of unknown quality to critical systems and risk outages caused by bugs in the patch?
Should I delay patching and risk the network being compromised through a well-known vulnerability?
Your network's security and functionality rely on the decision to patch early versus later. Many variables come into play, and the decision to apply a patch should be made only after testing it.
Does your IT Support Team know what it is doing when it comes to patching? Do they weigh costs and benefits to ensure your users can work safely? Do they test patches before releasing buggy versions to your entire network? If you are not sure how your IT Support Team manages patches, contact us today for a FREE security assessment.